﻿using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.Providers.Entities;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace cls.u_Models
{
    public partial class BackorderMgr : System.Web.UI.Page
    {
        //static String UserName = User.Identity.Name;
        //static String UserName = "";
        //String OrgCode = GetOrgCodeByUserName(UserName);
        //String OrgName = GetOrgNameByUserName(UserName);
        static String OrgCode = "";
        static String OrgName = "";


        protected void Page_Load(object sender, EventArgs e)
        {
            String UserName = User.Identity.Name;
            //String OrgCode = GetOrgCodeByUserName(UserName);
            //String OrgName = GetOrgNameByUserName(UserName);
            OrgCode = GetOrgCodeByUserName(UserName);
            OrgName = GetOrgNameByUserName(UserName);

            Label_UserName.Text = UserName;
            //Label_OrgName.Text = GetOrgCodeByUserName(UserName) + "-" + GetOrgNameByUserName(UserName);
            Label_OrgName.Text = OrgCode + "-" + OrgName;

            //数据库列类型是Char(4)，所以要.Trim()
            if (OrgCode.Trim().Equals("ZB"))
            {
                Label_NavLink.Text = "<ol>";
                //Label_NavLink.Text += "<li><a href=\"../u_ExcelFiles/缺货管控表（模版）.xlsx\">下载《缺货管控表（模版）》</a></li>";
                Label_NavLink.Text += "<li><a href=\"FileUpload.aspx?App=Backorder&OrgCode=ZB\">上传缺货管控表</a>（总部测试用）</li>";
                Label_NavLink.Text += "<li><a href=\"ShowBackorder.aspx\">查看缺货管控表电子表单</a></li>";
                //Label_NavLink.Text += "<li><a href=\"BackorderUserMgr.aspx\">用户管理</a></li>";
                Label_NavLink.Text += "</ol>";
            }
            else
            {
                Label_NavLink.Text = "<ol>";
                Label_NavLink.Text += "<li><a href=\"../u_ExcelFiles/缺货管控表（模版）.xlsx\">下载《缺货管控表（模版）》</a></li>";
                Label_NavLink.Text += "<li><a href=\"FileUpload.aspx?App=Backorder&OrgCode=" + OrgCode + "\">上传缺货管控表</a></li>";
                Label_NavLink.Text += "<li><a href=\"ShowBackorder.aspx\">查看缺货管控表电子表单</a></li>";
                Label_NavLink.Text += "</ol>";
            }
        }
        static protected SqlConnection GetSqlConnection(String db_Name)
        {
            SqlConnection SqlConnection = new SqlConnection("Data Source=192.168.0.241;Initial Catalog=" + db_Name + ";Persist Security Info=True;User ID=sa;Password=My.SA");
            return SqlConnection;
        }

        static protected String GetUserName()
        {
            String UserName = "User.Identity.Name";

            return UserName;
        }

        static protected String GetOrgCodeByUserName(String userName)
        {
            String OrgCode = "";

            SqlConnection SqlConnection = GetSqlConnection("cls_forms_db");
            SqlConnection.Open();

            //不安全的写法
            //CA2100	检查 SQL 查询是否存在安全漏洞	
            //传递给 'BackorderMgr.GetOrgCodeByUserName(string)' 中的 'SqlCommand.SqlCommand(string, SqlConnection)' 的查询字符串可能包含以下变量 'UserName'。如果其中的任意变量可能来自用户输入，请考虑使用存储过程或参数化 SQL 查询，而不是通过字符串串联来生成查询。	
            //cls	BackorderMgr.aspx.cs	71
            //
            //SqlCommand SelectCommand = new SqlCommand("SELECT OrgCode FROM u_cls_Org WHERE Id = (SELECT OrgId FROM u_cls_UserInOrg WHERE UserName = '" + UserName + "')", SqlConnection);
            //
            //安全的写法
            SqlCommand SelectCommand = new SqlCommand("SELECT OrgCode FROM u_cls_Org WHERE Id = (SELECT OrgId FROM u_cls_UserInOrg WHERE UserName=@UserName)", SqlConnection);

            SelectCommand.Parameters.Add("@UserName", SqlDbType.NVarChar, 4);
            SelectCommand.Parameters["@UserName"].Value = userName;

            SqlDataReader ResReader = SelectCommand.ExecuteReader();

            while (ResReader.Read())
            {
                //还是分开取得比较好，后面还有单独用到OrgCode的地方......
                //OrgCode = ResReader["OrgCode"].ToString() + "-" + ResReader["OrgName"].ToString();  
                OrgCode = ResReader["OrgCode"].ToString();
            }

            ResReader.Close();
            SelectCommand.Dispose();
            SqlConnection.Close();

            return OrgCode;
        }

        static protected String GetOrgNameByUserName(String userName)
        {
            String OrgName = "";

            SqlConnection SqlConnection = GetSqlConnection("cls_forms_db");
            SqlConnection.Open();

            SqlCommand SelectCommand = new SqlCommand("SELECT OrgName FROM u_cls_Org WHERE Id = (SELECT OrgId FROM u_cls_UserInOrg WHERE UserName=@UserName)", SqlConnection);

            SelectCommand.Parameters.Add("@UserName", SqlDbType.NVarChar, 4);
            SelectCommand.Parameters["@UserName"].Value = userName;

            SqlDataReader ResReader = SelectCommand.ExecuteReader();

            while (ResReader.Read())
            {
                //还是分开取得比较好，后面还有单独用到OrgCode的地方......
                //OrgCode = ResReader["OrgCode"].ToString() + "-" + ResReader["OrgName"].ToString();  
                OrgName = ResReader["OrgName"].ToString();
            }

            ResReader.Close();
            SelectCommand.Dispose();
            SqlConnection.Close();

            return OrgName;
        }
    }
}